
Logins After Account Deactivation

This article explains what users see when they try to log in after their account has been deactivated.

Issue

We’ve observed cases where users can still progress through the login flow after their account has been deactivated in Auth0. Specifically:

  • After entering their email and password, the user is prompted to choose an MFA method (Google Authenticator, SMS/phone, etc.).

  • After selecting an MFA option, the user is shown a banner:

    “Your account was deactivated. You can sign up again below.”

This creates confusion because the login sequence appears normal up until the banner appears.


Cause

Auth0 continues to present the initial login and MFA screens even after an account is deactivated. However, the final step — granting access to the application — is blocked. The banner message is confirmation that the deactivation is effective.

This does not mean the account was reactivated. It is the result of how Auth0 handles deactivated users in the login pipeline.


Expected Behavior

  • Once an account is deactivated, no new valid sessions can be created.

  • Users may still see the login and MFA prompts, but they will ultimately be stopped by the deactivation banner.

  • Any existing sessions created prior to deactivation may remain usable until they expire (based on session lifetime and inactivity timeout).


Resolution

  1. Confirm the account is marked as deactivated in Auth0.

  2. If the user reaches the MFA screen and then sees the deactivation banner, this is working as designed.

  3. If needed, revoke refresh tokens and clear active sessions for immediate termination.

  4. Instruct users to clear browser cache/cookies and reattempt login if they remain confused.
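
The revocation in step 3, as an added example that is not part of the original article or Auth0's own code: it calls the Auth0 Management API endpoints that delete a user's refresh tokens and sessions. The tenant domain, API token and user ID are placeholders, and the token is assumed to carry the `delete:refresh_tokens` and `delete:sessions` scopes.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumptions): substitute your tenant domain and a Management
# API token that carries the delete:refresh_tokens and delete:sessions scopes.
TENANT_DOMAIN = "YOUR_TENANT.example.auth0.com"
MGMT_API_TOKEN = "MGMT_API_TOKEN_PLACEHOLDER"


def build_revocation_requests(domain, user_id):
    """Return the (method, url) calls that end a user's existing access."""
    # Auth0 user IDs look like "auth0|abc123"; percent-encode the ID so the
    # "|" cannot be misread as part of the URL path.
    uid = urllib.parse.quote(user_id, safe="")
    base = f"https://{domain}/api/v2/users/{uid}"
    # Refresh tokens and sessions are separate artifacts: deleting one leaves
    # the other usable, so both calls are needed.
    return [("DELETE", f"{base}/refresh-tokens"), ("DELETE", f"{base}/sessions")]


def revoke_user_access(domain, token, user_id, opener=urllib.request.urlopen):
    """Send each revocation call; return {url: HTTP status} for the audit log."""
    results = {}
    for method, url in build_revocation_requests(domain, user_id):
        req = urllib.request.Request(
            url, method=method, headers={"Authorization": f"Bearer {token}"}
        )
        try:
            with opener(req, timeout=10) as resp:
                results[url] = resp.status
        except urllib.error.HTTPError as err:
            # Record the failure instead of stopping: a 403 on one call
            # (missing scope) should not skip the other revocation.
            results[url] = err.code
    return results


def all_revoked(results):
    """True only if every call was accepted (2xx)."""
    return bool(results) and all(200 <= s < 300 for s in results.values())


if __name__ == "__main__":
    outcome = revoke_user_access(TENANT_DOMAIN, MGMT_API_TOKEN, "auth0|CONSTRUCTED_ID")
    print(json.dumps(outcome, indent=2), "revoked:", all_revoked(outcome))
```

Access tokens that were already issued are not touched by these calls and stay valid until they expire, so keep access token lifetimes short if deactivation must take effect quickly.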


Prevention / Next Steps

Review Auth0 session configuration:

  • Absolute session lifetime (e.g., 7 days).

  • Inactivity timeout (e.g., 3 days).

  • Enable Revoke Refresh Tokens on Logout and incorporate token revocation into the deactivation process.

  • Educate support staff:

    • Seeing an MFA prompt followed by a deactivation banner is expected.

    • The banner confirms the account remains inactive and cannot access resources.